and Verifiable Deletion under Coercion (prototypes)
To be presented at NDSS'15.
For users in possession of password-protected en-
crypted data in persistent storage (i.e., "data at rest"), an obvious
problem is that the password may be extracted by an adversary
through dictionary attacks or by coercing the user. Techniques
such as multi-level hidden volumes with plausible deniability, or
software/hardware-based full disk encryption (FDE) cannot ade-
quately address such an attacker. For these threats, making data
verifiably inaccessible in a quick fashion may be the preferred
choice, specifically for users such as government/corporate agents,
journalists, and human rights activists with highly confidential
secrets, when caught and interrogated in a hostile territory.
Using secure storage on a Trusted Platform Module (TPM)
and modern CPU's trusted execution mode (e.g., Intel TXT),
we design Gracewipe
to enable secure and verifiable deletion of
encryption keys through a special deletion password. An attacker
cannot distinguish between a deletion and real password. He can
guess the real password to unlock the target encryption key only
through the valid Gracewipe environment; guessing the deletion
password will trigger deletion of the real key. When coerced,
a user can fake compliance, and enter the deletion password;
and then the user can prove to the attacker that Gracewipe has
been executed and the real key is no longer available (through
a TPM quote), hoping that a reasonable adversary then will
find no reason to keep holding the victim, and may even release
her. We implement two prototypes of Gracewipe: software-based
FDE system with plausible deniability (using TrueCrypt with
hidden volume), and hardware-based FDE (using a Seagate self-
encrypting drive (SED)). Our choice of booting Windows at the
end of a Gracewipe session (for the possibility of immediate
adoption), poses some unique challenges. Through the design and
prototypes of Gracewipe, we hope to raise awareness of a special
but critical use-case of FDE systems.
Scenarios where you may need
Gracewipe (not limited to):
1. Coercions (physical or juridical).
destruction of secret is more preferable.
2. Emergent deletion.
an adversary is close-by.
1. Undetectable deletion trigger.
2. Quick and uninterruptible deletion
3. Cryptographical verifiability.
to the adversary that the deletion does happen and recovery is
4. Bypassing Gracewipe does NOT give
access to the secret.
1. The adversary is hostile and
coercive, but rational.
2. The functionality and known good
"state" values of Gracewipe is publicly available.
3. The encryption mechanism that
Gracewipe is built on (e.g., TrueCrypt and SED) should be reliable.
For a complete list of
assumptions and unaddressed attacks, check section Threat
model and assumptions
in the paper.
Current two prototypes:
TrueCrypt based Gracewipe
SED based Gracewipe
More detailed description and
instructions (to come)
How to obtain the source code
and help improve Gracewipe:
Please drop a note to
Just note that this tool is still in
its proof-of-concept stage and may not be readily deployable as other
tools are. However, we welcome inquiries and would like to work
together to have it work on a given system.